
Mandatory Access Control (MAC)


1 MAC Overview

  1. System defined access control: Required ("Mandatory") for all.
    1. Users cannot override the policy.
    2. Access control at a much finer granularity.
  2. MAC enforcement requires all policies to be specified by an administrator. Users cannot change these policies.
  3. Principle of Least Privilege
  4. SELinux is a MAC design and implementation adapted to Linux.

1.1 MAC Overview #2

  1. Controls objects (and "subjects") such as processes, inodes, files, etc.
  2. Any operation by any subject on any object will be tested against the set of authorization rules (aka policy) to determine if the operation is allowed.
    1. Ex: wish to control access to /etc/shadow
    2. Ex: wish to control a process

1.2 MAC Overview #3

  1. MAC is mainstream now: Linux, Windows, OS X, Android, iOS
    1. In addition to DAC
  2. Linux MAC solutions: AppArmor, SELinux, Smack, TOMOYO
    1. Ubuntu distribution uses AppArmor; can apt-get install selinux
    2. RedHat distribution uses SELinux
  3. DAC to MAC flow

Figure 1: Simplified DAC to MAC flow (image: dac-mac-flow1.png)

Figure 2: Detailed DAC to MAC flow (image: dac-mac-flow2.png)
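The two figures show the order of the checks: the classic DAC permission-bit test runs first, and only a request that DAC allows reaches the MAC hook, which can still deny it. The following Python model of that flow is an added example, not code from the page or from any Linux MAC implementation; the labels (httpd_t, shadow_t, ...), uids, paths and the allow table are constructed, and the MAC stage is reduced to a single label-pair lookup so that the ordering, not the policy language, is what the code shows.

```python
# Added example (not from the original page): a toy reference monitor that
# mirrors the DAC to MAC flow. A request first passes the owner/group/other
# permission-bit check; only if DAC allows it does the MAC hook get to decide.
# Either stage can deny; MAC never grants what DAC denied.
from dataclasses import dataclass

# Permission bits as in st_mode: r=4, w=2, x=1 for each of owner/group/other.
BIT = {"read": 4, "write": 2, "exec": 1}


@dataclass(frozen=True)
class Subject:
    uid: int
    gids: frozenset          # primary + supplementary groups
    label: str               # MAC label of the process (constructed)


@dataclass(frozen=True)
class Object:
    path: str
    uid: int
    gid: int
    mode: int                # e.g. 0o640
    label: str               # MAC label on the inode (constructed)


# Constructed MAC policy: (subject label, object label) -> allowed operations.
# Anything not listed is denied by default.
MAC_ALLOW = {
    ("httpd_t", "httpd_content_t"): {"read"},
    ("shell_t", "user_home_t"): {"read", "write", "exec"},
    ("shell_t", "httpd_content_t"): {"read"},
}


def dac_check(s, o, op):
    """Classic Unix DAC: uid 0 bypasses the bits (simplified: real kernels still
    require an x bit for exec); otherwise exactly one class applies."""
    if s.uid == 0:
        return True
    if s.uid == o.uid:
        shift = 6
    elif o.gid in s.gids:
        shift = 3
    else:
        shift = 0
    return bool((o.mode >> shift) & BIT[op])


def mac_check(s, o, op):
    """MAC hook: label-based allow list, default deny."""
    return op in MAC_ALLOW.get((s.label, o.label), set())


def access(s, o, op, trace=None):
    """Return True if the operation is permitted. `trace` (a list) records which
    stage made the decision, the way an audit log would."""
    trace = trace if trace is not None else []
    if not dac_check(s, o, op):
        trace.append(f"DAC denied {op} on {o.path} for uid {s.uid}")
        return False
    trace.append(f"DAC allowed {op} on {o.path}")
    if not mac_check(s, o, op):
        trace.append(f"MAC denied {op}: {s.label} -> {o.label}")
        return False
    trace.append(f"MAC allowed {op}: {s.label} -> {o.label}")
    return True


# Constructed sample objects and subjects.
SHADOW = Object("/etc/shadow", uid=0, gid=42, mode=0o640, label="shadow_t")
INDEX = Object("/var/www/index.html", uid=33, gid=33, mode=0o664, label="httpd_content_t")
HTTPD = Subject(uid=33, gids=frozenset({33}), label="httpd_t")
ROOT_SHELL = Subject(uid=0, gids=frozenset({0}), label="shell_t")

if __name__ == "__main__":
    for s, o, op in [(HTTPD, INDEX, "read"), (HTTPD, INDEX, "write"),
                     (ROOT_SHELL, SHADOW, "read")]:
        log = []
        print(access(s, o, op, log), log)
```

The third request is the one worth looking at: uid 0 sails through DAC, but the shell_t process has no rule for shadow_t, so the MAC stage denies it. That is the practical meaning of "users cannot override the policy" in the overview: the MAC decision does not consult the uid at all.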

2 Sensitivity Labels

  1. DAC limits access to files, processes, … through the notions of owner, group and the rest of the users. This model is unacceptable for higher levels of security. Additional security attributes called sensitivity labels (SLs) are added to system resources such as files, processes, network ports, interfaces, and host addresses.
  2. Access control using system-enforced labels is called mandatory access control (MAC).
  3. "For example, incoming packets from a network interface can be assigned SLs, perhaps based on the source IP address or the network interface. Outgoing packets will have the label of the process or daemon that created them. An incoming or outgoing packet will be dropped if the SL of the packet is not valid for both the interface and the remote host."
  4. "Network services, such as HTTP daemons and associated CGI scripts, can be given read-only access to web pages and CGI directories and can be completely isolated from other resources (such as internal network interfaces, system files, and other network daemons)."
  5. "A network server configured in this way can protect its web pages and CGI scripts from ever being modified from an external connection, even if damaging bugs exist in the software that allow incoming users to execute any random sequence of machine instructions."
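Item 3 describes three rules: an incoming packet gets a label from its source address or, failing that, from the interface; an outgoing packet carries the label of the process that created it; and a packet is dropped unless its label is valid for both the interface and the remote host. The Python below is an added example, not code from the page or from any labeled-networking implementation, that makes those rules concrete. It assumes a label is a (level, categories) pair ordered by dominance and that "valid for" means falling inside a low/high label range; the interfaces, addresses, processes and ranges are all constructed.

```python
# Added example (not from the original page): a model of labeled networking.
# Sensitivity labels are (level, categories) pairs compared by dominance;
# every interface and known remote host carries a range of labels it may
# handle. All names, addresses and labels below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class SL:
    level: int
    cats: frozenset

    def dominates(self, other):
        """a dominates b when its level is at least b's and its categories
        include all of b's (the usual MLS ordering, assumed here)."""
        return self.level >= other.level and self.cats >= other.cats


@dataclass(frozen=True)
class Range:
    low: SL
    high: SL

    def contains(self, label):
        return label.dominates(self.low) and self.high.dominates(label)


def sl(level, *cats):
    return SL(level, frozenset(cats))


# Constructed policy: each interface has a range it may carry and a default
# label for packets whose source is not otherwise known.
INTERFACES = {
    "eth0": {"range": Range(sl(0), sl(2, "web", "finance")), "default": sl(1, "web")},
    "eth1": {"range": Range(sl(0), sl(0)), "default": sl(0)},   # internal, unclassified only
}
HOSTS = {
    "203.0.113.5": Range(sl(1, "web"), sl(2, "web", "finance")),
    "198.51.100.9": Range(sl(0), sl(0)),
}
# SL assigned by source IP; anything else gets the interface default.
SOURCE_LABELS = {"203.0.113.5": sl(2, "web", "finance")}
# Label of the process or daemon that creates outgoing packets.
PROCESSES = {"httpd": sl(1, "web"), "ledger": sl(2, "finance")}


def label_incoming(src_ip, iface):
    return SOURCE_LABELS.get(src_ip, INTERFACES[iface]["default"])


def host_range(ip):
    # Assumption: an unknown host may only exchange unclassified traffic.
    return HOSTS.get(ip, Range(sl(0), sl(0)))


def admit(label, iface, remote_ip):
    """The packet label must be valid for the interface AND the remote host."""
    return INTERFACES[iface]["range"].contains(label) and host_range(remote_ip).contains(label)


def incoming(src_ip, iface):
    label = label_incoming(src_ip, iface)
    return ("accept" if admit(label, iface, src_ip) else "drop", label)


def outgoing(process, iface, dst_ip):
    label = PROCESSES[process]
    return ("accept" if admit(label, iface, dst_ip) else "drop", label)


if __name__ == "__main__":
    print(incoming("203.0.113.5", "eth0"))      # labeled by source IP, accepted
    print(incoming("203.0.113.5", "eth1"))      # same label, too high for eth1: dropped
    print(incoming("198.51.100.9", "eth0"))     # interface default exceeds host range: dropped
    print(outgoing("ledger", "eth0", "203.0.113.5"))   # finance label not valid for that host
```

Two of the drops deserve a note. The packet from 198.51.100.9 on eth0 is dropped even though the interface would carry it, because the remote host's range does not: both checks must pass. The ledger process's outgoing packet is dropped because its label and the host's low label are incomparable (neither dominates the other), which under dominance is a denial, not a gap in the policy.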

3 Domain and Type Enforcement (DTE)

  1. DTE is a mandatory access control system, which assigns "types" to files, and "domains" to processes.
  2. DTE controls access from domains to types, domain transitions, and signal access between domains, based on a DTE policy which is read at boot time.
  3. Type enforcement is a partially ordered non-hierarchical labeling system combined with access mapping from a similarly labeled execution domain.
  4. For labeling subjects, all processes are confined to "domains".
  5. Objects (e.g., disk files) have labels known as "types".
  6. Each domain has specific permissions to do things to any particular type, say to read files in that type. Processes cannot change domains unless the system lets them.
  7. Domain configurations are either strictly controlled or cannot even be modified in multi-user mode, depending on the implementation.
  8. Type access can be any of read, write, execute, create, and directory descend.
  9. Domain access refers to the right to send signals to a domain as well as the right to transition to a new domain.
  10. A process belongs to exactly one domain at any particular time. A process transitions to a new domain by executing a file which has been defined as an entry point to that domain.
  11. The three types of domain transitions are auto, exec, or none. If Domain A has auto access to domain B, and a process in domain A executes an entry point for domain B, then the process will be automatically switched to domain B. If domain A has exec access to domain B, then a process running under domain A can choose whether to switch to domain B on execution of one of B's entry points.
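Items 4 through 11 together specify a small machine: processes carry exactly one domain, files carry a type, a policy read at boot says which type accesses each domain has, which domains it may signal, and whether its transition to another domain is auto, exec or none. The Python below is an added example that implements those rules; it is not DTE's own code or policy format. The domain and type names, entry-point paths and file labels are constructed, and one detail the page leaves open is filled in as an assumption: executing another domain's entry point with no transition access to that domain is refused.

```python
# Added example (not from the original page): a small DTE policy engine.
# Domains label processes, types label files; the policy gives each domain
# its type accesses, its transition mode to other domains (auto/exec/none),
# and the domains it may signal. All names and paths are constructed.
from dataclasses import dataclass

TYPE_RIGHTS = {"read", "write", "execute", "create", "descend"}

# Constructed policy, as it would be read at boot time.
POLICY = {
    "domains": {
        "user_d": {
            "types": {"user_t": {"read", "write", "create", "descend"},
                      "bin_t": {"read", "execute", "descend"}},
            "transitions": {"login_d": "auto", "admin_d": "exec"},
            "signals": {"user_d"},
        },
        "login_d": {
            "types": {"shadow_t": {"read"}, "bin_t": {"read", "execute"}},
            "transitions": {"user_d": "auto"},
            "signals": {"login_d", "user_d"},
        },
        "admin_d": {
            "types": {"user_t": {"read", "write", "create", "descend"},
                      "shadow_t": {"read", "write"}, "bin_t": {"read", "execute"}},
            "transitions": {},
            "signals": {"user_d", "login_d", "admin_d"},
        },
    },
    # Entry points: executing one of these files is how a process enters the domain.
    "entry_points": {"/bin/login": "login_d", "/bin/su": "admin_d", "/bin/sh": "user_d"},
}

# Type labels on files (constructed).
FILE_TYPES = {"/bin/login": "bin_t", "/bin/su": "bin_t", "/bin/sh": "bin_t",
              "/etc/shadow": "shadow_t", "/home/alice/notes": "user_t"}


@dataclass
class Process:
    pid: int
    domain: str      # exactly one domain at any time


def type_access(domain, file_type, right):
    """Does `domain` hold `right` on files of `file_type`? Default deny."""
    if right not in TYPE_RIGHTS:
        raise ValueError(right)
    return right in POLICY["domains"][domain]["types"].get(file_type, set())


def can_signal(src_domain, dst_domain):
    return dst_domain in POLICY["domains"][src_domain]["signals"]


def execve(proc, path, request_switch=False):
    """Execute `path` as `proc` and return the domain the process runs in
    afterwards, or raise PermissionError. `request_switch` is the process
    asking to move on an 'exec' transition; 'auto' switches regardless."""
    ftype = FILE_TYPES[path]
    if not type_access(proc.domain, ftype, "execute"):
        raise PermissionError(f"{proc.domain} may not execute {ftype} file {path}")
    target = POLICY["entry_points"].get(path)
    if target is None or target == proc.domain:
        return proc.domain                      # not an entry point for a new domain
    mode = POLICY["domains"][proc.domain]["transitions"].get(target, "none")
    if mode == "auto" or (mode == "exec" and request_switch):
        proc.domain = target
    elif mode == "none":
        # Assumption: without transition access, another domain's entry point
        # cannot be run at all, so the domain boundary cannot be bypassed.
        raise PermissionError(f"{proc.domain} has no transition to {target}")
    return proc.domain


if __name__ == "__main__":
    p = Process(1, "user_d")
    print(execve(p, "/bin/login"))                     # auto: now login_d
    print(type_access(p.domain, "shadow_t", "read"))   # True in login_d
    print(execve(p, "/bin/sh"))                        # auto back to user_d
    print(execve(p, "/bin/su"))                        # exec, not requested: still user_d
    print(execve(p, "/bin/su", request_switch=True))   # exec, requested: admin_d
```

The login sequence is the classic DTE illustration: a user_d process runs /bin/login and is moved to login_d automatically, where it can read shadow_t files; when login in turn runs /bin/sh the process drops back to user_d and loses that access. Note that a login_d process cannot run /bin/su at all, because login_d has no transition to admin_d, while a user_d process gets the choice (exec) and only changes domain when it asks to.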

4 NSA Security Enhanced Linux MAC

  1. SELinux is a MAC design and implementation adapted to Linux.

5 References

6 End


Copyright © 2018 www.wright.edu/~pmateti • 2018-08-15